11.2 Discussion


When installing MS Windows NT4/200x on a computer, the installation program creates default users and groups, notably the Administrators group, and gives that group the privileges necessary to perform essential system tasks, such as the ability to change the date and time or to kill (or close) any process running on the local machine.

The Administrator user is a member of the Administrators group, and thus inherits Administrators group privileges. If a joe user is created to be a member of the Administrators group, joe has exactly the same rights as the Administrator user.

When an MS Windows NT4/200x/XP machine is made a Domain Member, the "Domain Admins" group of the PDC is added to the local Administrators group of the workstation. Every member of the Domain Administrators group inherits the rights of the local Administrators group when logging on to the workstation.

The following steps describe how to make Samba PDC users members of the Domain Admins group.

  1. Create a UNIX group (usually in /etc/group); let's call it domadm.

  2. Add to this group the users that must be "Administrators". For example, if you want joe, john and mary to be administrators, your entry in /etc/group will look like this:

     domadm:x:502:joe,john,mary

  3. Map this domadm group to the "Domain Admins" group by running the command:

     root# net groupmap add ntgroup="Domain Admins" UNIXgroup=domadm

The quotes around "Domain Admins" are necessary due to the space in the group name. Also make sure to leave no white space surrounding the equal character (=).

Now joe, john and mary are domain administrators.

It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as making any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, you would flag that group as a domain group by running the following on the Samba PDC:

 
 root# net groupmap add rid=1000 ntgroup="Accounting" UNIXgroup=acct 

Be aware that the RID parameter is an unsigned 32-bit integer that should normally start at 1000. However, this RID must not overlap with any RID assigned to a user. How this is verified depends on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you.
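Since that RID check is left to the administrator, here is an added example (not part of the HOWTO) of a POSIX shell check that classifies a candidate RID against the well-known RIDs of Table 11.1, the SIDs in a net groupmap list listing (format as shown in this chapter) and a list of user SIDs, then finds the first RID that is free. The sample listing and the user SID list are constructed, and how those user SIDs are gathered from the passdb backend is assumed, not shown by the HOWTO.

```shell
#!/bin/sh
# Added example: decide whether a RID is safe to pass to "net groupmap add rid=...".

# Constructed sample of 'net groupmap list' output, in the format the HOWTO shows.
GROUPMAP_LIST='Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
Accounting (S-1-5-21-2547222302-1596225915-2414751004-1000) -> acct'

# Constructed sample of user SIDs, one per line. ASSUMPTION: you have already
# extracted these from your passdb backend; the HOWTO does not show that step.
USER_SIDS='S-1-5-21-2547222302-1596225915-2414751004-1001
S-1-5-21-2547222302-1596225915-2414751004-1003'

# Well-known RIDs from Table 11.1; never assign these to a custom group.
WELL_KNOWN_RIDS='500 501 502 512 513 514 515 516 517 518 519 520
544 545 546 547 548 549 550 551 552 553'

# rid_status RID -> prints one of: well-known, reserved, group, user, free
rid_status() {
    for w in $WELL_KNOWN_RIDS; do
        if [ "$w" = "$1" ]; then echo well-known; return 0; fi
    done
    # RIDs below 1000 are kept for built-in entities (HOWTO: start at 1000)
    if [ "$1" -lt 1000 ]; then echo reserved; return 0; fi
    # an existing group mapping shows its SID in parentheses before ' -> '
    if printf '%s\n' "$GROUPMAP_LIST" | grep -q -- "-$1) ->"; then
        echo group; return 0
    fi
    # a user SID ends with the RID after the last '-'
    if printf '%s\n' "$USER_SIDS" | grep -q -- "-$1\$"; then
        echo user; return 0
    fi
    echo free
}

# next_free_rid START -> prints the first RID >= START that is not in use
next_free_rid() {
    cand=$1
    while [ "$(rid_status "$cand")" != free ]; do
        cand=$((cand + 1))
    done
    echo "$cand"
}

echo "RID 1000: $(rid_status 1000)"                      # group (mapped to acct)
echo "RID 1001: $(rid_status 1001)"                      # user
echo "First free RID from 1000: $(next_free_rid 1000)"   # 1002
```

Feed the real output of net groupmap list and your backend's user SIDs into the two variables before trusting the result on a production PDC.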

11.2.1 Default Users, Groups and Relative Identifiers

When first installed, Microsoft Windows NT4/200x/XP are preconfigured with certain User, Group, and Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued integrity of operation. Samba must be provisioned with certain essential Domain Groups that require the appropriate RID value. When Samba-3 is configured to use tdbsam the essential Domain Groups are automatically created. It is the LDAP administrators' responsibility to create (provision) the default NT Groups.

Each essential Domain Group must be assigned its respective well-known RID. The default Users, Groups, Aliases, and RIDs are shown in Table 11.1.

NOTE

When the passdb backend uses LDAP (ldapsam), it is the administrators' responsibility to create the essential Domain Groups and to assign each its default RID.


It is permissible to create any Domain Group that may be necessary; just make certain that the essential (well-known) Domain Groups have been created and assigned their default RIDs. Other groups you create may be assigned any arbitrary RID you care to use.

Be sure to map each Domain Group to a UNIX system group. That is the only way to ensure that the group will be available for use as an NT Domain Group.

Table 11.1. Well-Known User Default RIDs

  Well-Known Entity            RID   Type    Essential
  Domain Administrator         500   User    No
  Domain Guest                 501   User    No
  Domain KRBTGT                502   User    No
  Domain Admins                512   Group   Yes
  Domain Users                 513   Group   Yes
  Domain Guests                514   Group   Yes
  Domain Computers             515   Group   No
  Domain Controllers           516   Group   No
  Domain Certificate Admins    517   Group   No
  Domain Schema Admins         518   Group   No
  Domain Enterprise Admins     519   Group   No
  Domain Policy Admins         520   Group   No
  Builtin Admins               544   Alias   No
  Builtin Users                545   Alias   No
  Builtin Guests               546   Alias   No
  Builtin Power Users          547   Alias   No
  Builtin Account Operators    548   Alias   No
  Builtin System Operators     549   Alias   No
  Builtin Print Operators      550   Alias   No
  Builtin Backup Operators     551   Alias   No
  Builtin Replicator           552   Alias   No
  Builtin RAS Servers          553   Alias   No

11.2.2 Example Configuration

You can list the various groups in the mapping database by executing net groupmap list. Here is an example:

 root# net groupmap list
 Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
 Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
 Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest

For complete details on net groupmap, refer to the net(8) man page.

The Official Samba-3 HOWTO and Reference Guide, 2nd Edition
ISBN: 0131882228
Year: 2005
Pages: 297